Google mulling action against Symantec over improper SSL certificates

25 Mar 2017

Google is mulling strict action against Symantec for repeated incidents in which Symantec or its certificate resellers improperly issued SSL certificates.

Among the options on the table are forcing the company to replace all of its customers' certificates and ceasing to recognise the extended validation (EV) status of those that have it.

A Netcraft survey conducted in 2015 had found that Symantec was responsible for about one in every three SSL certificates used on the web, which made it the largest commercial certificate issuer in the world.

Thanks to a slew of acquisitions over the years, Symantec now controls the root certificates of several formerly standalone certificate authorities, including VeriSign, GeoTrust, Thawte and RapidSSL.
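To see which of their own certificates would fall under the replacement option described above, a defender can inventory certificate chains by the issuer brands the article lists. This is an added Go example, not code from the article or from Google or Symantec; AffectedIssuer, makeCert and DemoChain are assumed names, and the certificates it builds are constructed demo data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// CA brands the article names as Symantec-controlled; matched case-insensitively against issuer Organization.
var affectedBrands = []string{"Symantec", "VeriSign", "GeoTrust", "Thawte", "RapidSSL"}

// AffectedIssuer walks a chain (leaf first) and returns the first affected brand named in any issuer Organization, or "".
func AffectedIssuer(chain []*x509.Certificate) string {
	for _, c := range chain {
		issuer := strings.ToLower(strings.Join(c.Issuer.Organization, " "))
		for _, brand := range affectedBrands {
			if strings.Contains(issuer, strings.ToLower(brand)) {
				return brand
			}
		}
	}
	return ""
}

// makeCert builds a constructed throwaway certificate: a self-signed CA when parent is
// nil, otherwise an end-entity cert signed by parent/parentKey (errors ignored: demo data).
func makeCert(org, cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// DemoChain returns a constructed [leaf, root] chain whose root carries the given Organization.
func DemoChain(rootOrg string) []*x509.Certificate {
	root, rootKey := makeCert(rootOrg, rootOrg+" Root CA", nil, nil)
	leaf, _ := makeCert("Example Site Ltd", "www.example.com", root, rootKey)
	return []*x509.Certificate{leaf, root}
}
```

Matching on the Organization string is a coarse triage heuristic: browsers distrust roots by their exact public key or fingerprint, so confirm candidates against the actual root list before replacing anything.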

SSL/TLS certificates are used to encrypt the connections between browsers and HTTPS-enabled websites, and also to verify that users are actually visiting the websites they intended to and are not being redirected to spoofed versions. These certificates are issued by organisations known as certificate authorities, which are trusted by default in browsers and operating systems.

The process of issuing and managing certificates is governed by rules created by the CA/Browser Forum, whose members include browser vendors and certificate authorities.

Violating those rules can lead browser and OS vendors to revoke trust in the offending certificates; the responsible certificate authority can also be sanctioned, up to and including removal from the vendors' root certificate stores.

Meanwhile, Google's Chrome development team has posted a stinging criticism of Symantec's certificate-issuance practices, saying it had lost confidence in the company's practices and therefore in the safety of sessions secured by Symantec-issued certificates.

Google's post says, "Since January 19, the Google Chrome team has been investigating a series of failures by Symantec Corporation to properly validate certificates. Over the course of this investigation, the explanations provided by Symantec have revealed a continually increasing scope of misissuance with each set of questions from members of the Google Chrome team; an initial set of reportedly 127 certificates has expanded to include at least 30,000 certificates, issued over a period spanning several years."